Empirical Characterization of the Likelihood of Vulnerability Discovery

Carl Wilhjelm, Kotadiya Taslima, Awad A. Younis
Journal: Int. J. Perform. Eng. Published: 2020-07-30. DOI: https://doi.org/10.23940/ijpe.20.07.p3.10081018
Citations: 1

Abstract

Assessing the risk of the likelihood of a vulnerability discovery is very important for decision-makers to prioritize which vulnerability should be investigated and fixed first. Currently, the likelihood of vulnerability discovery is being assessed based on expert opinion, which could potentially hinder its accuracy. In this study, we propose using Time to Vulnerability Disclosure (TTVD) as a proxy for assessing the likelihood of vulnerability discovery. We will then empirically explore characterizing TTVD using intrinsic vulnerability attributes, including CVSS Base metrics and vulnerability types. We examine 799 reported vulnerabilities of Chrome and 156 vulnerabilities of the Apache HTTP server. The results show that TTVD correlated at a statistically significant level to some of the intrinsic attributes, namely, the access complexity metric, the confidentiality and integrity metrics, and the vulnerability types. Our results from machine learning analysis also show that ranges of TTVD values are associated with specific combined values of the metrics under consideration.